How to Protect Your Backups against Ransomware Attacks

Abraham Smith

Graphic image of a lock with a dark background.
Ransomware attacks can target your backups!

Ask any casual computer user about theirs biggest security concerns, and they will probably tell you that they are worried ransomware attacks. These attacks occur when a cyber criminal steals your data or files and demands a ransom.

Ransomware is a ubiquitous threat to anyone using a computer or mobile device. Worse, attacks seem to be getting more sophisticated and dangerous every year.

However, one of the worst things about modern ransomware is theirs Ability to attack backups. Isn’t that a frightening thought?

In this article, I will discuss how and why some ransomware target backups and what you can do about it.

Why does ransomware attack backups?

Ransomware attacks backups for one really simple reason: money.

Consider the nature of even the simplest ransomware. The ransomware silently installs itself on a target device and starts encrypting the victim’s files. Once the encryption process is over, the ransomware will display a notification informing you that your files have been encrypted. consequently, pay for a decryption key is the only way to get their data back.

With that in mind, imagine you just lost all your data to a ransomware attack. At this point you have two options to retrieve your data. One possibility is pay the ransom and hope you get a decryption key.

Of course, since you are dealing with a criminal, you have no guarantees. You may never get the decryption key or the ransomware author may try to extort additional funds from you.

Your Another option is to restore a backup (assuming you have one). This is the best option as the operation costs you nothing (unlike paying the ransom). In addition, you are not dependent on criminals giving you access to your data.

The problem with this is that cybercriminals want to get paid and know that your backup is the only thing standing between them and a hefty payment. Therefore, it is clearly in the ransomware author’s best interest to disable or destroy your backup. At this point, you may have no choice but to pay the ransom.

So how exactly do these attacks target your backups? Let’s explore this further.

How do ransomware attacks target backups?

Before I answer how ransomware attacks on backups work, I need to explain that ransomware falls into this category 2 general categories: automated and human-powered attacks. Let’s discuss each one in more detail.

1. Automated ransomware

Automated ransomware is purely opportunistic. It occurs when you click on a bad link. This type of ransomware has certain built-in abilities and cannot do anything that exceeds those abilities.

Mostly automated ransomware is not designed for it attack backups. This is because each company’s backups perform differently. An attack that might work against one company might not work against another.

Despite this, there are automated ransomware attacks that target backups. Even ransomware that doesn’t specifically target backup can take other steps, such as: Disable Windows File History.

Screenshot of the Previous Versions tab in Windows File History.
Windows File History helps you revert files to a previous version.

2. Human-powered ransomware

Human-powered ransomware, on the other hand, is more likely much more focused. Typically, an attacker breaks into a network and researches the victim’s business while exfiltrating their data. At the right time, the attacker will inject and execute ransomware on the compromised network. A human controls this attack, meaning the attacker’s skills are the only limitations.

Human-powered ransomware is much more dangerous for backups because The attack is not limited to pre-programmed logic. A human can physically disable or destroy backups at will.

A notable example is the attacks by the Black Basta gang. Besides deleting virtual machines and other destructive activities, these attacks are Target Backup Agents.

As these attacks become more destructive, it has become even more important to ensure you protect your backups against attacks.

How to protect your backups from ransomware attacks

A ransomware attack can happen at any time, and you should prepare yourself and your backups for it. You have several options to make your backups less vulnerable to attack.

Follow backup best practices

The most important thing you can do to protect your backups is hold tight Backup best practices. More specifically, this means keeping your backup software and agents up to date. You should also use dedicated service accounts whenever possible.

Screenshot of the Backup tab in Windows Settings.
You can enable automatic backups through Windows settings.

Use immutable backup destinations

Another best practice is to keep your backups on immutable storage. You cannot change immutable storage. In other words, if you stored your backup on immutable storage, an attacker cannot delete or encrypt those backups.

The caveat, however, is that such backups are often protected with a digital certificate or encryption key. If the attacker deletes these mechanisms, you could lose access to your backups (assuming you use a certificate at all). Therefore, it is important to ensure that you keep copies of any keys or certificates in a safe place.

Use air-gap backups

Air-gap backups are backups that are Completelyj disconnected from the system created once (think tape backups or backups written to removable hard drives).

An attacker cannot compromise an unmounted backup. Of course, such fuses have one longer recovery point objective (RPO) as standard backups. This means that they are usually used as secondary protection instead of serving as your company’s primary backup.

These are some best practices you can implement to protect yourself from a cyber criminal trying to infiltrate your backups. Let’s finish!

The final result

Ransomware can, and sometimes does, attack backups. Therefore, it is extremely important to ensure that you take steps to harden your backups so that they are not compromised or disabled during an attack.

Remember not to do this underestimate the skills of a cybercriminal. It’s easy to believe that your systems, networks and backups are secure. This is a mistake. Take the necessary steps and precautions to ensure you are on the safe side. solutions such as Keep your backup software up to date and Using air-gap backups are important enough to consider for implementation.

Do you have more questions about ransomware attacks? Try this FAQ and resources sections below!

FAQ

What is Windows File History?

Windows file history is a feature of the Windows operating system that preserves previous document file versions. Even though the file history feature is not a true backup, it allows you to revert to a previous file version.

Why do some ransomware attacks target Windows file history?

When ransomware encrypts a file, the file history feature interprets this activity as a file change; essentially a new file version. However, the file history feature allows the file to revert to its previous unencrypted state. Ransomware authors want to prevent victims from using file history or other means to even get their data back.

Do all ransomware attacks target backups?

No, you have many ransomware variants that don’t try to corrupt backups. Nonetheless, the practice is becoming more common. It’s important to anticipate that your backups are subject to attack and plan accordingly.

Are there any dangers associated with air-gap backups?

If you need to restore an air-gap backup, you need to make sure the system is clean before you start the restore. Otherwise, your air-gap backup might get infected when mounted.

Are there other important best practices that should be considered?

Make sure that the backup solution you use allows you to restore only the ransomware-affected items. Backups tend to be a little older than your company’s live data, so you don’t want to restore anything you don’t have to. Otherwise you could lose some of your data.

resources

TechGenix: Ransomware as a Service article

Learn how ransomware as a service works.

TechGenix: Ransomware and Microsoft 365 article

Read more about how ransomware could attack data stored in Microsoft 365.

TechGenix: Article about ransomware

Find tips for negotiating with ransomware gangs.

CISA: Ransomware Prevention Resources

Discover CISA’s ransomware prevention resources.

Check Point Software: Ransomware Attacks Article

Read more about how ransomware attacks work.

FBI: Guide to Avoiding Ransomware

Discover the FBI’s tips for avoiding ransomware.

Leave a Reply

Your email address will not be published. Required fields are marked *